Description of Campaign
Victims, mainly in the government and foreign affairs sectors of Europe, are being targeted by APT29 with malware hosted on cloud storage services. Dropbox, and in some cases Trello, is leveraged both for C2 communication and for retrieval of additional payloads. When APT29 uses an HTML smuggling technique, a compromised or spoofed email address is used to send a spear-phishing email with a malicious HTML attachment. When the attachment is opened in a browser, its embedded JavaScript decodes an inline byte array and writes it to disk as an archive, so the payload never crosses the network as a recognizable file. In other instances, an IMG disk image is used to deliver a decoy PDF document together with an LNK file. When the LNK is run, the user is shown a blank PDF as a decoy while the shortcut launches CMD, which in turn side-loads a malicious DLL.
Our ATR team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Cluster25 and shared publicly.
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Threat Hunting
YARA
    import "pe"

    rule APT29_Loader_87221_00001 {
        meta:
            author = "Cluster25"
            tlp = "white"
            description = "Detects DLL loader variants used in Nobelium kill-chain"
            hash1 = "6fc54151607a82d5f4fae661ef0b7b0767d325f5935ed6139f8932bc27309202"
            hash2 = "23a09b74498aea166470ea2b569d42fd661c440f3f3014636879bd012600ed68"
        strings:
            $s1 = "%s\\blank.pdf" fullword ascii
            $s2 = "%s\\AcroSup" fullword ascii
            $s3 = "vcruntime140.dll" fullword ascii
            $s4 = "ME3.99.5UUUUUUUUUUU" fullword ascii
            $c1 = "Rock" fullword ascii
            $c2 = ".mp3" fullword ascii
            $c3 = "%s.backup" fullword ascii
            $sequence1 = { C7 45 ?? 0B 00 10 00 48 8B CF FF 15 ?? ?? ?? 00 85 C0 74 ?? 48 8D 55 ?? 48 89 75 ?? 48 8B CF FF 15 ?? ?? ?? 00 85 C0 74 ?? 48 8B CF FF 15 ?? ?? ?? 00 } // thread context change
            $sequence2 = { 0F B6 0B 4C 8D 05 ?? ?? ?? 00 89 4C 24 ?? 4D 8B CD 49 8B CD BA 04 01 00 00 E8 ?? ?? ?? ?? 48 8D 5B 01 48 83 EF 01 75 ?? } // encoding cycle
            $sequence3 = { 4C 8D 8C 24 ?? 00 00 00 8B 53 ?? 44 8D 40 ?? 48 03 CD 44 89 A4 24 ?? 00 00 00 FF 15 ?? ?? ?? 00 8B 43 ?? 44 8B 43 ?? 4A 8D 14 38 48 8D 0C 28 E8 ?? ?? 00 00 8B 4B ?? 4C 8D 8C 24 ?? 00 00 00 8B 53 ?? 48 03 CD 44 8B 84 24 ?? 00 00 00 FF 15 ?? ?? ?? 00 } // DLL unhook
            $sequence4 = { 42 0F B6 8C 32 ?? ?? ?? 00 48 83 C2 03 88 0F 48 8D 7F 01 48 83 FA 2D 7C E7 } // get domain name string
        condition:
            uint16(0) == 0x5a4d and filesize < 200KB
            and pe.imports("kernel32.dll", "SetThreadContext") and pe.imports("kernel32.dll", "ResumeThread") and pe.imports("kernel32.dll", "K32GetModuleFileNameExA")
            and 3 of ($s*)
            and all of ($c*)
            and 3 of ($sequence*)
    }
YARA
    rule APT29_HTMLSmuggling_ZIP_82733_00001 {
        meta:
            author = "Cluster25"
            description = "Rule to detect the EnvyScout HTML smuggling with ZIP payload used in the APT29/Nobelium chain"
            date = "2022-05-12"
            hash = "d5c84cbd7dc70e71f3eb24434a58b2f149d0c39faa7e4157552b60c7dbb53d11"
        strings:
            $s1 = "new Blob("
            $s2 = "new Uint8Array("
            $s3 = "application/octet-stream"
            $t1 = "saveAs("
            $t2 = "download("
            // ASCII for the decode loop header: for(var i = 0x0; i < d['length']; i++) {\n    d[i] = d[i]
            $r1 = { 66 6F 72 28 76 61 72 20 69 20 3D 20 30 78 30 3B 20 69 20 3C 20 64 5B 27 6C 65 6E 67 74 68 27 5D 3B 20 69 2B 2B 29 20 7B 0A 20 20 20 20 64 5B 69 5D 20 3D 20 64 5B 69 5D }
        condition:
            (filesize > 500KB and all of ($s*) and ($t1 or $t2) and $r1)
    }
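The following script is an added example, not part of the original article or of Cluster25's tooling. It re-implements the matching logic of the HTML smuggling rule above in plain Python so it can be run over HTML attachments without yara-python, and it shows which sub-conditions carry the specificity. Both HTML inputs are constructed fixtures written for this example (they are not campaign samples): one reproduces the pattern the rule describes (large inline byte array, the decode loop, a Blob with an octet-stream MIME type and a forced download), the other is a small legitimate download page. The function names, the fixture contents and the XOR key in the fixture are assumptions of this example.

```python
import sys

# Plain substrings from the rule: all three $s* must be present, plus $t1 or $t2.
S_STRINGS = (b"new Blob(", b"new Uint8Array(", b"application/octet-stream")
T_STRINGS = (b"saveAs(", b"download(")

# $r1 is written in the rule as a hex sequence; decoded, it is the ASCII header of
# the byte-array decode loop: "for(var i = 0x0; i < d['length']; i++) {\n    d[i] = d[i]".
R1 = bytes.fromhex(
    "66 6F 72 28 76 61 72 20 69 20 3D 20 30 78 30 3B 20 69 20 3C 20 64 5B 27 6C 65 6E "
    "67 74 68 27 5D 3B 20 69 2B 2B 29 20 7B 0A 20 20 20 20 64 5B 69 5D 20 3D 20 64 5B 69 5D"
)

# YARA's KB suffix means 1024 bytes, so "filesize > 500KB" is more than 512000 bytes.
MIN_SIZE = 500 * 1024


def evaluate(data: bytes) -> dict:
    """Evaluate each sub-condition of the rule over raw file bytes and return them
    together with the overall verdict under the key 'match'."""
    checks = {
        "filesize_gt_500KB": len(data) > MIN_SIZE,
        "all_s_strings": all(s in data for s in S_STRINGS),
        "t1_or_t2": any(t in data for t in T_STRINGS),
        "r1_decode_loop": R1 in data,
    }
    checks["match"] = all(checks.values())
    return checks


def build_smuggling_fixture(n_entries: int = 120_000) -> bytes:
    """Constructed HTML (not a campaign sample) exhibiting the smuggling pattern:
    a large inline byte array, the XOR decode loop, an octet-stream Blob and a
    forced download via saveAs(). The array literal alone is about 600 KB."""
    array_literal = ",".join("0x41" for _ in range(n_entries))
    js = (
        "var d = new Uint8Array([" + array_literal + "]);\n"
        "for(var i = 0x0; i < d['length']; i++) {\n"
        "    d[i] = d[i] ^ 0x2a;\n"          # hypothetical single-byte XOR key
        "}\n"
        "var b = new Blob([d], {type: 'application/octet-stream'});\n"
        "saveAs(b, 'attachment.zip');\n"
    )
    return ("<html><body><script>" + js + "</script></body></html>").encode()


def build_benign_fixture() -> bytes:
    """Constructed HTML for a legitimate client-side download: it contains every
    plain string the rule looks for, but it is small and has no decode loop."""
    js = (
        "var bytes = new Uint8Array([72, 105]);\n"
        "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
        "download(blob, 'export.bin');\n"
    )
    return ("<html><body><script>" + js + "</script></body></html>").encode()


def scan_files(paths):
    """Print a per-file verdict and return the list of matching paths."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            result = evaluate(fh.read())
        print(path, "MATCH" if result["match"] else "clean", result)
        if result["match"]:
            hits.append(path)
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan_files(sys.argv[1:])
    else:
        print("smuggling fixture:", evaluate(build_smuggling_fixture()))
        print("benign fixture:   ", evaluate(build_benign_fixture()))
```

Run it with no arguments to see both fixtures evaluated, or pass one or more saved attachments as arguments. The benign fixture hits all of $s1-$s3 and $t2, which are common to many legitimate client-side download pages; what keeps it from matching is the size threshold and the absence of the $r1 loop. The converse caveat applies when hunting: a smuggling page whose decode loop is written differently, or whose embedded archive is under 500 KB, will not trip this rule, so treat it as one signal alongside the IOCs below rather than a complete detection.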
This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs changes over time; check Trellix Insights for the latest IOCs.
Campaign IOC
Type   | Value
SHA256 | 23A09B74498AEA166470EA2B569D42FD661C440F3F3014636879BD012600ED68
SHA256 | 4C68C840AE1A034D47900EBDC291116726FD37B3AB0B7E026FAD90EAAB84D820
SHA256 | 7F96D59CB02229529B14761F979F710BCA500C68CC2B37D80E60E751F809475E
Minimum Content Versions
Content Type                  | Version
V2 DAT (VirusScan Enterprise) | 10394
V3 DAT (Endpoint Security)    | 4846
Detection Summary
IOC (SHA256)                                                     | Scanner         | Detection
23A09B74498AEA166470EA2B569D42FD661C440F3F3014636879BD012600ED68 | AVEngine V2     | Generic trojan.qi
                                                                 | AVEngine V3     | Generic trojan.qi
                                                                 | JTI (ATP Rules) | -
                                                                 | RP Static       | -
                                                                 | RP Dynamic      | -
4C68C840AE1A034D47900EBDC291116726FD37B3AB0B7E026FAD90EAAB84D820 | AVEngine V2     | LNK/Agent-FSW!9EC1FCB11B59
                                                                 | AVEngine V3     | LNK/Agent-FSW!9EC1FCB11B59
                                                                 | JTI (ATP Rules) | -
                                                                 | RP Static       | -
                                                                 | RP Dynamic      | -
7F96D59CB02229529B14761F979F710BCA500C68CC2B37D80E60E751F809475E | AVEngine V2     | LNK/Agent-FSW!9EC1FCB11B59
                                                                 | AVEngine V3     | LNK/Agent-FSW!9EC1FCB11B59
                                                                 | JTI (ATP Rules) | -
                                                                 | RP Static       | -
                                                                 | RP Dynamic      | -